Nirbot Neutered?

ATLAS is one of my dreams coming to fruition. I love data, and I love a global view. Watching and measuring the recent Nirbot activity is the sort of thing I love about it, and I think it’s something that other people love about it.

Last weekend, the weekend of the 14th, Nirbot rolled the MS DNS RPC exploits into the botnet. We saw this as a sudden uptick in the attacks around 22:30 GMT that Sunday night, and careful triangulation of the data from several sources suggests that our initial theories were correct. Takedown efforts of the “rofflewaffles.us” domain began, and the efforts met with quick success. How quick? Have a look at the MSFT DNS RPC interface attacks we were tracking over the past week. BAM! Huge drop off, just as fast as it began, on Tuesday at about 14:00 GMT.

[Figure: MS DNS RPC Attacks, 8 days]

Nirbot’s been a huge source of another set of attacks we’ve been tracking in the past few months, as well, the Symantec AV realtime VirusScan attack on TCP ports 2967 and 2968. Given that Nirbot’s involved in that, we would expect to see a similar drop in attack activity at about the same time and, sure enough, we do.

[Figure: SYMC06-010 Attacks, 8 days]

The MS DNS exploits rose quickly into the ATLAS top 10 attacks, and quickly fell out once Nirbot was neutered. The Symantec attacks, which had been holding onto a steady first place in global attack activity, are now only in the top 5. A huge change in the past week, and some major efforts to get the Internet cleaned up. If anyone doubts real progress in botnets, they should look at this as a case study of getting it right (albeit belatedly).
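The reasoning above (if one botnet drives both attack streams, both should fall off at about the same hour) can be checked mechanically against sensor counts. The following is an added example, not part of the original post and not ATLAS code; the hourly counts, series names, window and thresholds are all constructed for illustration.

```python
from statistics import mean

# Constructed hourly attack counts, 96 hours; hour 0 = Sunday 00:00 GMT.
# Shapes mimic the post: DNS RPC ramps up late Sunday and collapses Tuesday
# afternoon; the Symantec series drops partially at about the same time.
DNS_RPC = ([5 + h % 3 for h in range(23)]
           + [400 + (h * 7) % 40 for h in range(23, 62)]
           + [8 + h % 4 for h in range(62, 96)])
SYMC = ([900 + (h * 13) % 90 for h in range(63)]
        + [250 + (h * 5) % 30 for h in range(63, 96)])

def largest_step(counts, window=6, direction="down"):
    """Return (hour_index, ratio) of the sharpest level change, or (None, 1.0)."""
    best_idx, best_ratio = None, 1.0
    for i in range(window, len(counts) - window + 1):
        before = mean(counts[i - window:i]) + 1  # +1 keeps quiet hours from dividing by zero
        after = mean(counts[i:i + window]) + 1
        ratio = before / after if direction == "down" else after / before
        if ratio > best_ratio:
            best_idx, best_ratio = i, ratio
    return best_idx, best_ratio

def coincident_drops(series, window=6, min_ratio=3.0, tolerance=2):
    """Locate each series' biggest drop; True if every series dropped within `tolerance` hours."""
    drops = {}
    for name, counts in series.items():
        idx, ratio = largest_step(counts, window, "down")
        if idx is not None and ratio >= min_ratio:
            drops[name] = idx
    together = (bool(drops) and len(drops) == len(series)
                and max(drops.values()) - min(drops.values()) <= tolerance)
    return drops, together

if __name__ == "__main__":
    onset, _ = largest_step(DNS_RPC, direction="up")
    drops, together = coincident_drops({"ms_dns_rpc": DNS_RPC, "symc_2967_2968": SYMC})
    print("DNS RPC onset hour:", onset)
    print("drop hours:", drops, "coincident:", together)
```

A steady control series that does not drop makes `coincident_drops` return `False`, which is the case that would argue against a single botnet driving both streams.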

3 Responses to “Nirbot Neutered?”

April 23, 2007 at 11:12 am, BelchSpeak said:

I’m not familiar with how this bot worked. How was it neutered? Typically bots die when the command host is cut off or if the malware hosting site is disabled. Seems unusual that activity would just… stop.

Love your analysis! Keep posting stuff like this.
